Christmas Dinner

First Flight #31
Beginner Friendly | Foundry | Solidity
100 EXP
Submission Details
Severity: high
Valid

Locked Ether After Deadline

Summary

The ChristmasDinner contract accepts Ether deposits through its receive() function at any time, including after the deadline has passed. The refund function, however, is guarded by the beforeDeadline modifier, so a user cannot retrieve a deposit once the deadline is over. Ether sent after the deadline is therefore permanently locked in the contract.

Vulnerability Details

The receive() function is not guarded by the beforeDeadline modifier, so the contract keeps accepting Ether after the deadline has passed.

The refund function is guarded by beforeDeadline, so the user-facing path for retrieving a deposit reverts once the deadline has passed. Because the deposit path and the refund path enforce different time windows, any Ether received in the gap between them has no route back to the depositor.

Impact

Ether sent after the deadline is permanently locked in the contract: the depositor cannot reclaim it, which is a direct loss of funds for that user.

Tools Used

Manual code review

Recommendations

Create a dedicated function that refunds Ether deposited after the deadline. It follows checks-effects-interactions (the balance is zeroed before the external call) and is protected by nonReentrant:

    function refundETHAfterDeadline() external nonReentrant {
        address payable _to = payable(msg.sender);
        uint256 refundValue = etherBalance[_to];
        // Zero the balance before sending so a re-entering caller
        // cannot be paid twice.
        etherBalance[_to] = 0;
        (bool success, ) = _to.call{value: refundValue}("");
        require(success, "ETH refund failed");
        emit Refunded(_to);
    }

Alternatively, apply the beforeDeadline modifier to receive() so that late deposits are rejected outright rather than accepted and stranded. Whichever option is chosen, the deposit path and the refund path must enforce the same time window.
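The following is an added example, not the ChristmasDinner contract or any code from this submission: a stripped-down reconstruction of the receive()/refund() interaction described under Vulnerability Details, with the refundETHAfterDeadline() fix from the Recommendations, and a Foundry test that shows the late deposit being accepted, the normal refund reverting, and the fix recovering the funds. The contract name LockedEtherDemo, its storage layout, the custom errors and the one-day deadline are assumptions made for the demo.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the audited contract. Names, errors and storage layout
// are assumptions chosen to reproduce the pattern described in the finding.
import {Test} from "forge-std/Test.sol";

contract LockedEtherDemo {
    uint256 public immutable deadline;
    mapping(address => uint256) public etherBalance;
    bool private locked;

    event Refunded(address indexed to);

    error AfterDeadline();
    error Reentrant();

    constructor(uint256 _deadline) {
        deadline = _deadline;
    }

    modifier beforeDeadline() {
        if (block.timestamp > deadline) revert AfterDeadline();
        _;
    }

    modifier nonReentrant() {
        if (locked) revert Reentrant();
        locked = true;
        _;
        locked = false;
    }

    // Vulnerable pattern: deposits are credited at any time, with no
    // deadline check, exactly as described in the finding.
    receive() external payable {
        etherBalance[msg.sender] += msg.value;
    }

    // The original refund path is closed after the deadline, so a deposit
    // that arrived late can never leave through it.
    function refund() external beforeDeadline nonReentrant {
        _payout(payable(msg.sender));
    }

    // Proposed fix: a refund path that is not gated by beforeDeadline.
    function refundETHAfterDeadline() external nonReentrant {
        _payout(payable(msg.sender));
    }

    function _payout(address payable to) internal {
        uint256 refundValue = etherBalance[to];
        etherBalance[to] = 0; // effects before the external call
        (bool success, ) = to.call{value: refundValue}("");
        require(success, "ETH refund failed");
        emit Refunded(to);
    }
}

contract LockedEtherDemoTest is Test {
    LockedEtherDemo internal demo;
    address internal user = makeAddr("user");

    function setUp() public {
        demo = new LockedEtherDemo(block.timestamp + 1 days);
        vm.deal(user, 1 ether); // constructed test balance
    }

    // Reproduces the finding: the late deposit is accepted, then stuck.
    function test_depositAfterDeadlineIsLocked() public {
        vm.warp(demo.deadline() + 1);

        vm.prank(user);
        (bool ok, ) = address(demo).call{value: 1 ether}("");
        assertTrue(ok, "late deposit should be accepted");
        assertEq(demo.etherBalance(user), 1 ether);

        vm.prank(user);
        vm.expectRevert(LockedEtherDemo.AfterDeadline.selector);
        demo.refund(); // the only original refund path reverts
        assertEq(user.balance, 0);
    }

    // Shows the recommended fix returning the stranded Ether.
    function test_refundAfterDeadlineRecoversFunds() public {
        vm.warp(demo.deadline() + 1);

        vm.prank(user);
        (bool ok, ) = address(demo).call{value: 1 ether}("");
        assertTrue(ok);

        vm.prank(user);
        demo.refundETHAfterDeadline();
        assertEq(user.balance, 1 ether);
        assertEq(demo.etherBalance(user), 0);
    }
}
```

Run with `forge test --match-contract LockedEtherDemoTest -vv`. The first test is the proof of concept for the finding; the second only passes once refundETHAfterDeadline() (or an equivalent late-refund path) exists.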
Updates

Lead Judging Commences

0xtimefliez Lead Judge 11 months ago
Submission Judgement Published
Validated
Assigned finding tags:

withdraw function lacks functionality to send ether
